From: Yongjian Xu Date: Wed, 18 Dec 2013 07:45:12 +0000 (+0800) Subject: char: Int overflow in lp_do_ioctl(). X-Git-Tag: upstream/snapshot3+hdmi~3630^2~53 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=1c2de820d66d704c7d6fffdd872b7670eb4e29bb;p=platform%2Fadaptation%2Frenesas_rcar%2Frenesas_kernel.git char: Int overflow in lp_do_ioctl(). arg comes from user-space, so int overflow may occur: LP_TIME(minor) = arg * HZ/100; Reported-by: Yongjian Xu Suggested-by: Qixue Xiao Signed-off-by: Yu Chen Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/char/lp.c b/drivers/char/lp.c index 0913d79..c4094c4 100644 --- a/drivers/char/lp.c +++ b/drivers/char/lp.c @@ -587,6 +587,8 @@ static int lp_do_ioctl(unsigned int minor, unsigned int cmd, return -ENODEV; switch ( cmd ) { case LPTIME: + if (arg > UINT_MAX / HZ) + return -EINVAL; LP_TIME(minor) = arg * HZ/100; break; case LPCHAR:
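Review bot: The new bound in `case LPTIME` (`if (arg > UINT_MAX / HZ)`) has no comment saying what it protects, and the hunk does not show the types it depends on. The product `arg * HZ` is evaluated in the type of `arg`, and the result is stored in `LP_TIME(minor)`; neither declaration is in the visible lines, so a reader cannot confirm from here that `UINT_MAX` is the right limit for both. Add a one-line comment above the check stating that it keeps `arg * HZ` from wrapping before the division by 100, and name the type of the destination field. Separately, the check turns a previously accepted user-supplied value into `-EINVAL`; since the commit message notes that `arg` comes from user space, the changelog should say that oversized `LPTIME` values are now rejected rather than silently truncated.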